4 Answers
4

Yes, you can do this using the built-in Disk Images of Mac OS X. A disk image (or DMG file) is a file which, when opened, presents itself as a removable Mac OS X volume, similar to a removable hard drive. Many OS X applications are deployed on disk images. If you encrypt your home directory using FileVault, you're creating a sparse bundle disk image.

You can create OS X disk images which are compressed and/or encrypted. However, if you create a compressed DMG, it will be read-only, so that may or may not work for you.

To create a new, empty encrypted disk image in OS X:

Open Disk Utility, which is under the "utilities" folder of the "Applications" folder.

From the File menu choose New > Blank Disk Image...

In the dialog that appears, you can specify where to save the disk image, the name of the volume, and choose the type of encryption:

Make sure to choose either "128-bit AES encryption (recommended)" or "256-bit AES encryption (more secure)" from the "Encryption" menu. Also, be sure to set a size for the disk image.

If you create a sparse bundle (newer, and may be more reliable) or a sparse image (older, can become corrupted easily if it's open and your computer is shut down improperly) then the image file will start small and will grow as you add files to it, up to a maximum size you specify.

If you create a "read/write disk image", then the image file will start at the maximum size specified in the dialog box.

After you save the disk image file, you'll be prompted for a password and verification. Once completed, you'll have a new volume on your desktop and in the "Computer" view where you can begin dropping files!

To create a compressed, read-only image, you can do one of two things:

Follow the same steps above, however instead of New > Blank Disk Image..., choose New > Disk Image From Folder.... This will first ask you to select a folder full of files. From there, it will present a similar dialog to the one above, but will not prompt for a volume name or size; it will use the name of the folder and the size will be automatically calculated. Be sure to choose to make a compressed image and don't forget the encryption.

Alternatively, if you have created a blank image and filled it with files, you can convert that image to a compressed image. This is a handy way to back up your encrypted files. Keep the master read/write uncompressed image as your day-to-day workspace, and periodically convert it to a read-only compressed image which you can back up to an external device. To do this, choose Images > Convert... within Disk Utility. Select the DMG file, and then you'll see the same screen as above.

Protip: if you drag and drop a folder onto Disk Utility's dock icon it will automatically offer to create a disk image out of that folder.

Protip #2: If you create an encrypted disk image out of an unencrypted folder and you want to delete the original, unencrypted files, remember to use secure erase otherwise you risk leaving confidential information on your hard drive.

+1 Excellent instructions. I have an addition to protip #2, though: usually previous versions of the files will have been deleted insecurely (most programs do this when saving changes), so it's best to securely erase the free space on the disk afterward (run Disk Utility, select the volume in the sidebar, then the Erase tab, then click Erase Free Space. When it asks how thorough to be, select the basic "Zero Out" mode).
– Gordon Davisson, Dec 2 '11 at 6:11

Thank you very much! Indeed very helpful, especially with the Protips. It is fast. What I like best is that the password I created is stored in the keychain automatically.
– gentmatt, Dec 2 '11 at 7:53

1

While storing the password for an encrypted image in the Keychain is convenient, it's also something of a security risk because anyone who gains access to your account also has access to the DMG file. Consider using a password container like Password Wallet or 1Password instead. Or create a separate keychain file, using a second password, to contain your dmg passwords. This keychain file can be locked and unlocked separately from the login keychain.
– jaberg, Mar 3 '12 at 15:24

Great points @jaberg. I also recommend keeping multiple keychains, one for everyday stuff and one for more secure items.
– Josh, Mar 17 '12 at 22:13

For zip and openssl the password will be visible to all users while the encryption is running. This is usually not a problem on a desktop system, otherwise you may consult the openssl man page for ways to read the password from a file or similar.

Jason's article provides instructions to pipe files directly in and out of vim and the secret sauce for creating alias commands that make encrypting and decrypting easy.

As I said, I make use of the built-in DMG tools, but if you're a command line user, particularly of vim, or if you need to ensure that plaintext copies of your secret files never exist on disk or in swap files, Jason's method is worth considering.
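An added example, not code from any of the answers here, covering both the Disk Utility procedure above and the point about the password being visible while openssl runs: the passphrase is read from a private file (or stdin) instead of being passed as a command-line argument, so it never shows in the process list. The openssl part runs anywhere; the hdiutil function is macOS only and its flags are assumed from hdiutil itself, not taken from this page.

```shell
# Added example, not from the original answers. Reads the passphrase from a
# mode-0600 file instead of argv, so other users cannot see it in `ps`.
# Assumes openssl 1.1 or later (for -pbkdf2).
set -eu

# Write a passphrase to a private temp file and print its path.
make_pass_file() {
    umask 077
    pdir=$(mktemp -d)
    printf '%s' "$1" > "$pdir/pass"
    echo "$pdir/pass"
}

# Encrypt $1 into $2 with passphrase file $3 (never the passphrase itself).
encrypt_file() {
    openssl enc -aes-256-cbc -pbkdf2 -iter 200000 \
        -pass "file:$3" -in "$1" -out "$2"
}

# Decrypt $1 into $2 with passphrase file $3.
decrypt_file() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -pass "file:$3" -in "$1" -out "$2"
}

# Round-trip a constructed sample note; print "ok" only if the plaintext
# survives and the ciphertext actually differs from it.
roundtrip_check() {
    work=$(mktemp -d)
    printf 'constructed secret note\n' > "$work/note.txt"
    pf=$(make_pass_file 'example-passphrase')
    encrypt_file "$work/note.txt" "$work/note.enc" "$pf"
    decrypt_file "$work/note.enc" "$work/note.dec" "$pf"
    if cmp -s "$work/note.txt" "$work/note.dec" \
       && ! cmp -s "$work/note.txt" "$work/note.enc"; then
        echo ok
    else
        echo fail
    fi
    rm -rf "$work" "$(dirname "$pf")"
}

# macOS only (assumed hdiutil flags, not on the page): encrypted sparse bundle
# with the passphrase fed on stdin. $1 = bundle path, $2 = passphrase file.
make_encrypted_bundle() {
    command -v hdiutil >/dev/null 2>&1 || { echo "hdiutil not available"; return 0; }
    hdiutil create -encryption AES-256 -type SPARSEBUNDLE -fs HFS+ \
        -volname Secret -size 1g -stdinpass "$1" < "$2"
}
```

Delete the passphrase file once the bundle exists; the sparse bundle itself then only needs the passphrase at mount time.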

It's worth reiterating that decrypting the file and then writing the decrypted data to the hard drive is dangerous (as in the gpg example in this answer). It is difficult (almost impossible with some drives) to definitively erase the unencrypted file. If you're serious about security use an encrypted dmg - it is the only secure option. You can create encrypted dmgs from the command line using the diskutil command line tool (it offers everything in Disk Utility.app and more). In recent versions of OS X, swap is always encrypted unless you disable it (hard to do).
– Abhi Beckert, Nov 18 '12 at 15:02